FTC crackdown on GoodRx sends a message that private consumer data must be protected
Since 2017, GoodRx has helped millions of people find deals on prescription drugs via an app and website. But what its customers may not have known is that the Santa Monica-based health company had also been sharing information about their prescriptions and illnesses with third parties such as Google and Facebook for advertising purposes.
Last week, the Federal Trade Commission fined GoodRx $1.5 million for violating customers’ privacy by failing to notify them about how their data were being used. This is the first time the FTC has used a law known as the Health Breach Notification Rule, which is designed to hold accountable for data privacy protections the companies that aren’t covered by the Health Insurance Portability and Accountability Act, the federal health privacy law known as HIPAA.
Good. The enforcement action is a warning to other tech firms at a time of growth in the industry. Increasingly consumers are using apps and wearable devices to monitor their health, and they should know exactly how their personal information is being used.
It’s heartening that the administration is taking action to protect consumers. In his State of the Union address this week, President Biden advocated for stronger data privacy controls and other protections to rein in technology firms.
The FTC says GoodRx, whose founders include former Facebook employees, used tracking technology and other software that captures consumer information such as the drugs for which a consumer had requested a coupon, the condition those drugs treat and personally identifiable information such as IP addresses. If a user inquired about a prescription drug for a sexual dysfunction condition, that user might have been targeted by ads for that condition on social media.
GoodRx, which claims to have saved consumers about $45 billion in prescription drug costs since the company was founded in 2011, denies any wrongdoing. The company says it never shared medical records, that third parties were not allowed to share health data further, and that the same tracking technology is used on many websites, including some used by the U.S. government. But the company agreed to the terms of the settlement, which needs to be approved by a judge, to avoid the costs of further litigation.
Seeing ads mentioning an embarrassing medical condition in your personal social media feed may seem like a small price to pay to get a reduced price for a medication, but data privacy specialists say that it could come with serious consequences. For example, data brokers could compile a list of people with cancer that could be used by scam artists marketing a fraudulent treatment.
This action by the FTC is a step in the right direction in guarding consumer health data. For too long, consumers have unwittingly handed over sensitive health information simply by using health apps or other technology devices. This makes it clear that these tech firms must disclose their intentions when collecting consumers’ health data.